Penetration Testing mailing list archives
Re: Pentesting tool - Commercial
From: "Andre Gironda" <andreg () gmail com>
Date: Tue, 4 Mar 2008 14:04:42 -0700
On Tue, Mar 4, 2008 at 12:54 PM, Trygve Aasheim <trygve () pogostick net> wrote:
> This might be a bit hard for you to understand, I see that, but just trust me - ok? There is a world outside of web servers and web applications. There are tests that need to be done outside the scope of OWASP, and there are companies with more complex systems than those of auction sites.
I'm not talking solely about web applications for auction sites. Did you read my bio somewhere?
> Parts of this world contain servers that perform different tasks: backup, storing databases, processing data, passing mail, etc. You also have clients, routers, switches, as well as the wide variety of different systems that perform security tasks at different levels. This is usually referred to as an infrastructure. Most companies have this, and it's quite fascinating.
After being primarily an autodidact operator for 12 years, I think I'm allowed to speak to these needs as equally as I do about web applications or auction sites. A lot of this comes from my experience as a BGP and Internet data center LAN operator. For the assessment work I've done in the past two years on "infrastructure"... yes, I wish that I had access to something like Nipper, Redseal, or Skybox. Yes, I wish I had access to Core Impact, Qualys Guard, and Canvas+packs. Would they have been worth the money printed to buy them? No, I can safely say that all of these assessments were better done without these "tools". The manual inspection of every line of configuration - whether IOS, CatOS, JunOS, ScreenOS, et al - is more important. Even for web servers this is true - certainly the Apache Cookbook and the logging / event-handling recommendations from the Web Application Hacker's Handbook have quite a lot to add to the process of securing a web application. I'm not an open-source bigot, but I can't argue with the free nature of Nipper, the CIS benchmark tools, and many of the freely available guides. Comparing GFI LANguard Network Security Scanner 8 to Qualys Guard is a stretch, but one is free for 30 days with issues fixed and the other is only a free 14-day trial with issues left open. I admit that not all of my logic is perfect... as long as the penetration-testing industry is willing to admit that 99% of their testers and tools are 99% invalid and unworkable. How is any consulting company supposed to address all of these issues in a two-week window of opportunity? Core Impact RPT might be fast, but it's also going to put these assessment consulting companies out of business if they have to pay into an expensive tool that still only views 10% of the issues without fixing any of them.
> So, in this thing called infrastructure - you also have vulnerabilities. Either through bad design, implementation, wrong use or configuration of software at different levels, or due to lack of maintenance. Some of these can be found and addressed quite quickly by the use of tools, while others need manual testing before they reveal themselves.
Some of these issues can be found using these tools. But not all of the issues can be. The primary "issue" that penetration-testing tools address is awareness. They bring light (and hopefully funding) to a huge problem. I spoke to an easy and scaled way of handling this, which included Core Impact at the end of a formal process, a few emails back. The deliverable shouldn't be awareness - it should be workable solutions. Most of the time - these aren't technical at all. Strategy consulting is a good start to any project of this nature, and while the cost might be the same as a two-week assessment, it only takes up 1-2 days of a client's time, which really equates to much better savings for the client because a two-week assessment is a large investment for them.

I would hit a few key areas:

1) Software acquisition. How does the client acquire new software? Does it come with hardware out-of-the-box (e.g. installed on a router)?
2) Software update. How does the client upgrade/update their software?
3) Software configuration. How does the client configure their software? How do they handle changes?
4) Software development. Does the client write their own software? What processes do they use?

I'm fairly impressed with the BITS Shared Assessments Program Standardized Information Gathering questionnaire as a starting point, which is also available in a SIG-Lite version. Note that you don't have to be under SOX, ISO27k, or PCI "law" to follow COBIT, ISO 27002, or PCI-DSS.

When I say "workable", I am referring to the "root cause" of the vulnerability problems in any given organization. I know that many penetration-testing-tool and assessment-based organizations, vulnerability research businesses, and "security" consulting companies base all of their future income on FUD in order to sell more products/solutions (and seem to get off on this fact). I find this demoralizing and reprehensible.
> A common approach is to do a full test using a lot of tools that address known vulnerabilities, common design flaws and such, in combination with penetration testing tools to sort out false positives and confirm what sort of consequences a breach would have. In combination with firewall policy analysis and looking at the routines surrounding security all the way from development to maintenance, you'll have some sort of baseline to work from when it comes to the level of security. The work will also reveal how well the company can detect and address events.
Firewall policy analyzers? Testing the monitoring and response capability? You really think these are valuable?
> Yeah - I answered on your trap, and I knew it would end up in another rant - like the ones you've been delivering for the last 10+ years. And yeah, I know that even though this looks like text to the rest of us, for you it's just a Rorschach that makes you go off on a new rant - usually pretty far away from the subject.
I appreciate that you understand where I'm coming from. If my way of educating you isn't working for you, then I suggest you figure it out on your own by researching the facts for yourself.

Cheers,
Andre